itheCreator1
diff --git a/‎docs/SecurityHeadersBestPractices.md‎
Lines changed: 90 additions & 1 deletion b/‎docs/SecurityHeadersBestPractices.md‎
Lines changed: 90 additions & 1 deletion
diff --git a/‎sha/analyzers/__init__.py‎
Lines changed: 12 additions & 0 deletions b/‎sha/analyzers/__init__.py‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎sha/analyzers/x_download_options.py‎
Lines changed: 102 additions & 0 deletions b/‎sha/analyzers/x_download_options.py‎
Lines changed: 102 additions & 0 deletions
@@ -163,6 +163,92 @@ Without Referrer-Policy, clicking any external link would send this full URL (in
 
 ---
 
+## 6. X-XSS-Protection
+
+**Purpose:** Legacy header that controlled browser XSS filters in Internet Explorer, Chrome, and Safari. Now deprecated in modern browsers.
+
+**Best Practice:**
+```
+X-XSS-Protection: 0
+```
+Explicitly disables the XSS filter. This is the modern recommendation because these filters can introduce XSS vulnerabilities in otherwise safe websites.
+
+**Acceptable:**
+Not setting the header at all is acceptable for modern applications that implement a strong Content-Security-Policy.
+
+**Bad/Missing:**
+- `X-XSS-Protection: 1` (enables the filter without mode=block, can create vulnerabilities)
+- `X-XSS-Protection: 1; mode=block` (legacy approach, filter can introduce bugs)
+
+**Severity if Missing:** Low
+
+**Reasoning:** Modern browsers have removed XSS filter functionality, and Content-Security-Policy provides superior protection. However, explicitly setting `0` prevents older browsers from using potentially buggy XSS filters. OWASP recommends either not setting this header or explicitly disabling it with `0` to avoid filter-based vulnerabilities.
+
+**References:**
+- [OWASP: X-XSS-Protection](https://owasp.org/www-project-secure-headers/)
+- [MDN: X-XSS-Protection](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
+
+---
+
+## 7. X-Download-Options
+
+**Purpose:** Internet Explorer 8+ specific header that prevents the browser from executing downloaded HTML files in the context of the site. Prevents Same Origin Policy violations during file downloads.
+
+**Best Practice:**
+```
+X-Download-Options: noopen
+```
+Forces users to save the file before opening it, preventing execution in the site's security context.
+
+**Acceptable:**
+Same as best practice. This header has only one valid value: `noopen`.
+
+**Bad/Missing:**
+- Header not present when serving user-controllable HTML content with `Content-Disposition: attachment`
+- Any value other than `noopen`
+
+**Severity if Missing:** Low
+
+**Reasoning:** When a user directly opens a downloaded HTML file in IE, scripts in that file can access cookies from the originating domain. This violates the Same Origin Policy by allowing the downloaded file to execute as if it were part of the website. Setting this header forces the save-then-open workflow, ensuring downloaded files execute in a local context. While IE-specific and legacy, this header is still recommended when serving downloadable HTML content.
+
+**References:**
+- [OWASP: X-Download-Options](https://owasp.org/www-project-secure-headers/)
+- [Microsoft: X-Download-Options](https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/)
+
+---
+
+## 8. X-Permitted-Cross-Domain-Policies
+
+**Purpose:** Controls whether Adobe Flash Player, Adobe Acrobat, or PDF documents can load cross-domain policy files from the web server. Prevents untrusted Flash/PDF content from accessing site data.
+
+**Best Practice:**
+```
+X-Permitted-Cross-Domain-Policies: none
+```
+Completely prohibits Flash and PDF clients from loading any cross-domain policy files. Most secure option.
+
+**Acceptable:**
+```
+X-Permitted-Cross-Domain-Policies: master-only
+```
+Allows only the master policy file (`/crossdomain.xml`) to be loaded. Acceptable if you need to support legacy Flash/PDF content with controlled cross-domain access.
+
+**Bad/Missing:**
+- Header not present (allows policy files from any location)
+- `all`: Allows policy files from anywhere on the server (very insecure)
+- `by-content-type`: Allows policy files served with `Content-Type: text/x-cross-domain-policy` (too permissive)
+- `by-ftp-filename`: Allows policy files with specific FTP filenames (legacy, insecure)
+
+**Severity if Missing:** Medium
+
+**Reasoning:** While Adobe Flash is deprecated (EOL December 2020), this header remains relevant for security audits and defense-in-depth. Without proper configuration, attackers could place a malicious `crossdomain.xml` file on your server, allowing Flash/PDF content from other domains to read your application's data and bypass CSRF protections. Many security scanners still check for this header. Setting it to `none` is a simple, zero-cost protection.
+
+**References:**
+- [OWASP: X-Permitted-Cross-Domain-Policies](https://owasp.org/www-project-secure-headers/)
+- [Adobe: Cross-Domain Policy](https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html)
+
+---
+
 ## Summary Table
 
 | Header | Severity if Missing | Ease of Implementation | Security Impact |
@@ -171,4 +257,7 @@ Without Referrer-Policy, clicking any external link would send this full URL (in
 | X-Frame-Options | High | Very Easy | High |
 | X-Content-Type-Options | Medium-High | Very Easy | High |
 | CSP | Critical | Hard | Very High |
-| Referrer-Policy | High | Very Easy | High |
+| Referrer-Policy | High | Very Easy | High |
+| X-XSS-Protection | Low | Very Easy | Low |
+| X-Download-Options | Low | Very Easy | Low |
+| X-Permitted-Cross-Domain-Policies | Medium | Very Easy | Medium |
@@ -17,6 +17,9 @@
 from . import coep
 from . import coop
 from . import corp
+from . import x_xss_protection
+from . import x_download_options
+from . import x_permitted_cross_domain_policies
 
 
 # Registry mapping header keys to analyzer functions
@@ -30,6 +33,9 @@
     coep.HEADER_KEY: coep.analyze,
     coop.HEADER_KEY: coop.analyze,
     corp.HEADER_KEY: corp.analyze,
+    x_xss_protection.HEADER_KEY: x_xss_protection.analyze,
+    x_download_options.HEADER_KEY: x_download_options.analyze,
+    x_permitted_cross_domain_policies.HEADER_KEY: x_permitted_cross_domain_policies.analyze,
 }
 
 # Registry mapping header keys to configurations
@@ -43,6 +49,9 @@
     coep.HEADER_KEY: coep.CONFIG,
     coop.HEADER_KEY: coop.CONFIG,
     corp.HEADER_KEY: corp.CONFIG,
+    x_xss_protection.HEADER_KEY: x_xss_protection.CONFIG,
+    x_download_options.HEADER_KEY: x_download_options.CONFIG,
+    x_permitted_cross_domain_policies.HEADER_KEY: x_permitted_cross_domain_policies.CONFIG,
 }
 
 
@@ -100,4 +109,7 @@ def get_config(header_key: str) -> Dict[str, Any]:
     "coep",
     "coop",
     "corp",
+    "x_xss_protection",
+    "x_download_options",
+    "x_permitted_cross_domain_policies",
 ]
@@ -0,0 +1,102 @@
+"""
+X-Download-Options Header Analyzer.
+
+This module contains configuration and analysis logic for the
+X-Download-Options header which prevents Internet Explorer from
+executing downloaded HTML files in the site's security context.
+"""
+
+from typing import Any, Dict, Optional
+
+from ..config import STATUS_BAD, STATUS_GOOD, STATUS_MISSING
+
+
+HEADER_KEY = "x-download-options"
+
+CONFIG = {
+    "display_name": "X-Download-Options",
+    "severity_missing": "low",
+    "description": "Prevents IE from executing downloads in site context",
+    "validation": {
+        "required_value": "noopen",
+    },
+    "messages": {
+        STATUS_GOOD: "X-Download-Options is properly configured",
+        STATUS_BAD: "X-Download-Options has incorrect value",
+        STATUS_MISSING: "X-Download-Options header is missing - IE may execute downloads in site context",
+    },
+    "recommendations": {
+        "missing": "Add: X-Download-Options: noopen",
+        "wrong_value": "Set value to: noopen",
+    },
+}
+
+
+def analyze(value: Optional[str]) -> Dict[str, Any]:
+    """
+    Analyze X-Download-Options header.
+
+    Validation rules:
+    - Missing: Low severity (IE-specific, legacy)
+    - "noopen": Good
+    - Other values: Bad
+
+    Args:
+        value: Header value or None if missing
+
+    Returns:
+        Finding dictionary with keys:
+        - header_name: str
+        - status: str (good/acceptable/bad/missing)
+        - severity: str (critical/high/medium/low/info)
+        - message: str
+        - actual_value: str or None
+        - recommendation: str or None
+    """
+    header_name = CONFIG["display_name"]
+
+    # Missing header
+    if value is None:
+        return {
+            "header_name": header_name,
+            "status": STATUS_MISSING,
+            "severity": CONFIG["severity_missing"],
+            "message": CONFIG["messages"][STATUS_MISSING],
+            "actual_value": None,
+            "recommendation": CONFIG["recommendations"]["missing"],
+        }
+
+    value_lower = value.strip().lower()
+
+    # Check for correct value
+    if value_lower == CONFIG["validation"]["required_value"]:
+        return {
+            "header_name": header_name,
+            "status": STATUS_GOOD,
+            "severity": "info",
+            "message": CONFIG["messages"][STATUS_GOOD],
+            "actual_value": value,
+            "recommendation": None,
+        }
+
+    # Empty value
+    if not value_lower:
+        return {
+            "header_name": header_name,
+            "status": STATUS_BAD,
+            "severity": CONFIG["severity_missing"],
+            "message": f"{CONFIG['messages'][STATUS_BAD]} - empty value",
+            "actual_value": value,
+            "recommendation": CONFIG["recommendations"]["wrong_value"],
+        }
+
+    # Incorrect value
+    return {
+        "header_name": header_name,
+        "status": STATUS_BAD,
+        "severity": CONFIG["severity_missing"],
+        "message": f"{CONFIG['messages'][STATUS_BAD]} - "
+        f"unknown value '{value}', should be 'noopen'",
+        "actual_value": value,
+        "recommendation": CONFIG["recommendations"]["wrong_value"],
+    }